search

voxpupuli / puppet-corosync

Sets up and manages Corosync.
https://forge.puppet.com/puppet/corosync
Apache License 2.0
44 stars 161 forks source link

Converge quorum member auth #525

Open optiz0r opened 2 years ago

optiz0r commented 2 years ago

Pull Request (PR) description

The current code for authenticating to quorum members runs the auth command on every puppet run. This both updates the credentials on disk, and generates a puppet change event, which are btoh undesirable.

The proposed change checks to ensure all quorum members have an auth token in the credentials file, and updates auth for all members if any one member is missing. This results in a convergent state.

There is a caveat, in that what gets stored in the credentials file is not the original password, but an auth token. There does not seem to be a pcs command to check the tokens are still valid. So this code is only checking for presenence of auth tokens, not correctness. If the authentication token is later invalided, puppet will not correct this. It would be necessary to manually run the pcs host auth or pcs cluster auth commands to fix it.

This Pull Request (PR) fixes the following issues

Fixes #500

optiz0r commented 2 years ago

The three failing test suites don't look to be failing in relation to my changes.

optiz0r commented 2 years ago

~This actually isn't working quite as expected, it causes failures on the first run, and then converges on the second run.~ Solved by latest force push.

Old logs ``` Notice: /Stage[main]/Corosync/Exec[authorize_member_node1]/returns: Error: Unable to synchronize and save tokens on nodes: node2. Are they authorized? Notice: /Stage[main]/Corosync/Exec[authorize_member_node1]/returns: node1: Authorized Error: 'pcs cluster auth node1 -u hacluster -p PASS' returned 1 instead of one of [0] Error: /Stage[main]/Corosync/Exec[authorize_member_node1]/returns: change from 'notrun' to ['0'] failed: 'pcs cluster auth node1 -u hacluster -p PASS' returned 1 instead of one of [0] (corrective) Notice: /Stage[main]/Corosync/Exec[authorize_member_node2]/returns: executed successfully (corrective) Notice: /Stage[main]/Corosync/Package[corosync-qdevice]/ensure: created Notice: /Stage[main]/Corosync/Exec[pcs_cluster_temporary]: Dependency Exec[authorize_member_node1] has failures: true ```